I have searched, without joy, for code (using MadSecurity) to set the permissions on one file. We have one file that is used for licensing. If the user deletes the file (by accident) it causes trouble and takes time to get it replaced. I want to set permissions on the file, for all groups/user names, to deny all actions except read. That should prevent deleting the file until ownership is taken, right?

> Of course there are other alternatives, from API hooking to writing kernel mode file system filter drivers. But that sounds like overkill to me.

I concur. The file deletion mistake has only happened with a couple of users but, if I can code something (in my program) to prevent the deletion or at least make it harder to delete the file, it might save some trouble and prevent a little bit of ill will.

As to the permissions, I assume if the user has administrator rights, setting the permissions to only "read and read & execute" has no real power to prevent deletion?

I ask because I have administrator rights and a couple of times over the years I had to take ownership of a file to delete it, and that is what I am attempting to duplicate with the one file.

IIRC it doesn't matter whether you're admin or not. If you don't have explicit (either by user name or user group) rights to delete the file, then you can't delete it. Of course as an admin you can take ownership. I don't think you can prevent that, without resorting to those overkill methods.

In the end madSecurity is really only a wrapper around the win32 APIs. Maybe something weird is going on in the depths of the win32 APIs, I don't really know. You did do the "ProtectedDAcl := false", too, didn't you?
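
The deny-everything-but-read idea discussed in this thread, as an added example that is not from the thread or from madSecurity: it uses the .NET ACL classes from PowerShell instead of the madSecurity wrapper. The function name and the sample path are hypothetical, and it assumes an elevated session or that the caller owns the file.

```powershell
# Added example (not madSecurity code). Function name and path are hypothetical.
function Protect-LicenseFile {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SID S-1-1-0 (Everyone); a SID avoids localized group names.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

    # Deny Delete and the write rights only. Read, ReadAndExecute and
    # Synchronize are left alone so the licensing check can still open the file.
    $rights = [System.Security.AccessControl.FileSystemRights]'Delete, Write'
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone, $rights, $deny)

    # Add the explicit deny ACE; inherited ACEs are kept as they are.
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the DACL back and return the explicit deny entries so the caller
    # can confirm the ACE was really written.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq $deny -and -not $_.IsInherited }
}

# Caveats:
#  - NTFS also allows a delete when the caller holds "Delete subfolders and
#    files" on the parent folder, so review the folder's ACL as well.
#  - As noted in the thread, an administrator can still take ownership and
#    then rewrite the DACL.

# Usage (hypothetical path):
# Protect-LicenseFile -Path 'C:\ProgramData\ExampleApp\license.dat' |
#     Format-Table IdentityReference, FileSystemRights, AccessControlType
```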